Use the function [url=http://www.php.net/mysql_real_escape_string]mysql_real_escape_string()[/url] instead of [url=http://www.php.net/addslashes]addslashes()[/url]. The former will work with multi-byte characters and it will quote more characters that can cause problems with MySQL than the latter. Also, I have found that you don't have to remember to use the function [url=http://www.php.net/stripslashes]stripslashes()[/url] when retrieving the data from the database.

You have a form, don't you? And you have a PHP form that makes an insert into the DB.

You are taking a value like:
[code]$value = $_GET['value'];[/code]
and then inserting it with something like:
[code]mysql_query("INSERT INTO .... values ('$value')");[/code]

You have to insert addslashes or mysql_real_escape_string or str_replace or whatever you intend to do before sending it to the query, so your code should look like:
[code]$value = $_GET['value'];
// Escape the value before it is placed inside the quoted SQL literal
$value = addslashes($value);
mysql_query("INSERT INTO.... VALUES('$value')");[/code]
Got that?
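An added example, not code from any poster in this thread: it goes one step beyond the escaping functions discussed above and passes the form value as a bound parameter, then reads it back to show that nothing needs stripslashes() on retrieval unless the value was escaped a second time. It assumes PDO with the SQLite driver as an in-memory stand-in for MySQL so it runs without a server; the table, column and helper names are hypothetical and the inputs are constructed.

```php
<?php
// Added example. SQLite in memory stands in for MySQL; the names
// "comments", "body" and store_and_fetch() are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');

// Constructed sample inputs standing in for $_GET['value'].
$samples = [
    "O'Reilly",        // single quote
    'C:\\temp\\file',  // backslashes (the PHP literal is C:\temp\file)
    'say "hi"',        // double quotes
    "naïve café",      // multi-byte UTF-8
];

$insert = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
$select = $db->prepare('SELECT body FROM comments WHERE id = :id');

// Insert one value through a bound parameter and return what the
// database actually stored for it.
function store_and_fetch(PDO $db, PDOStatement $insert, PDOStatement $select, string $value): string
{
    $insert->execute([':body' => $value]);
    $select->execute([':id' => $db->lastInsertId()]);
    return (string) $select->fetchColumn();
}

foreach ($samples as $value) {
    // Bound parameter: the value is sent separately from the SQL text,
    // so quotes and backslashes in it are stored as plain data.
    $stored = store_and_fetch($db, $insert, $select, $value);

    // Escaping on top of binding is double escaping: the backslashes
    // added by addslashes() become part of the stored data.
    $doubled = store_and_fetch($db, $insert, $select, addslashes($value));

    printf(
        "input: %-14s round-trip: %-9s escaped twice: %s\n",
        $value,
        $stored === $value ? 'identical' : 'CHANGED',
        $doubled
    );
}
```

The "escaped twice" column is where stray backslashes in stored data come from: every input that contains a quote or backslash comes back with extra backslashes, while the bound-only column round-trips unchanged.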